Trojan.Downloader.Java.Openstream.W
SYMPTOMS: Possible presence of the IstBar toolbar in Internet Explorer.
TECHNICAL DESCRIPTION: This malware takes the form of a Java applet that runs on the client's machine when a web page containing it is loaded, provided the user accepts its certificate. The applet class also contains code that lets it run as a standalone application, but this is not how users get infected. This trojan may also come with the Byteverify exploit for a silent install.
Applet mode execution: When running, the applet downloads a virus named Trojan.Downloader.IstBar.Gen from a hardcoded URL: http://www.ysbweb.com/ist/[removed], which is saved under the name "iinstall.exe" in the user's temporary directory. The Java code is written so that any error messages are visible to the user in the browser's Java console, if enabled.
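An added example (not BitDefender's code) that triages hosts for the two indicators described above: a request to the hardcoded download host and path, and a file named iinstall.exe in a temporary directory. The log and inventory formats, the sample records, the `placeholder` URL suffix and the temp/tmp directory-name heuristic are assumptions.

```python
from pathlib import PureWindowsPath
from urllib.parse import urlsplit
# Indicators taken from the description above.
DOWNLOAD_HOST = "www.ysbweb.com"
DOWNLOAD_PATH_PREFIX = "/ist/"
DROPPED_NAME = "iinstall.exe"

# Constructed sample data in assumed formats (not real logs).
# Proxy log: "<timestamp> <client> <method> <url> <status>"
PROXY_LOG = """\
2005-03-01T10:02:11 10.0.0.21 GET http://www.ysbweb.com/ist/placeholder 200
2005-03-01T10:02:15 10.0.0.22 GET http://example.org/ist/index.html 200
2005-03-01T10:03:40 10.0.0.23 GET http://WWW.YSBWEB.COM/ist/placeholder 200
2005-03-01T10:04:02 10.0.0.24 GET http://www.ysbweb.com.example.net/ist/x 200
"""
# File inventory: "<client><TAB><full path>"
FILE_INVENTORY = """\
10.0.0.21\tC:\\Documents and Settings\\alice\\Local Settings\\Temp\\iinstall.exe
10.0.0.22\tC:\\Program Files\\Setup\\install.exe
10.0.0.25\tC:\\WINDOWS\\Temp\\IINSTALL.EXE
"""

def hosts_with_download(proxy_log):
    """Clients that requested the hardcoded download location."""
    hits = set()
    for line in proxy_log.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        url = urlsplit(fields[3])  # .hostname is lowercased, so the match is exact
        if url.hostname == DOWNLOAD_HOST and url.path.startswith(DOWNLOAD_PATH_PREFIX):
            hits.add(fields[1])
    return hits

def hosts_with_dropped_file(inventory):
    """Clients with iinstall.exe under a directory named temp/tmp (heuristic)."""
    hits = set()
    for line in inventory.splitlines():
        client, _, path = line.partition("\t")
        p = PureWindowsPath(path)
        in_temp = any(d.lower() in ("temp", "tmp") for d in p.parts[:-1])
        if in_temp and p.name.lower() == DROPPED_NAME:
            hits.add(client)
    return hits

def triage(proxy_log, inventory):
    net, disk = hosts_with_download(proxy_log), hosts_with_dropped_file(inventory)
    label = lambda h: "download+file" if h in net and h in disk else "download only" if h in net else "file only"
    return {h: label(h) for h in sorted(net | disk)}
```

The exact hostname comparison keeps look-alike hosts such as the fourth constructed proxy record out of the results.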
Standalone application execution: This happens if the user double-clicks the jar archive containing the above applet.
Removal instructions: Please let BitDefender disinfect your files.
ANALYZED BY: Marian RADU, virus researcher